The hackers who hit the Los Angeles Unified School District (LAUSD) with ransomware over Labor Day weekend have now issued a ransom payment demand, according to the district superintendent.
On Tuesday, superintendent Alberto Carvalho told the Los Angeles Times that a demand had been made but that the district had not responded. Carvalho declined to reveal the amount of money demanded.
The extortion attempt represents an inevitable escalation in the ransomware attack — which targeted the nation’s second-largest school district just as pupils began to return after the summer break — and raises questions over what sensitive information the hackers may have been able to obtain.
Though the attack caused disruption to some of the school’s email systems and other applications, other critical systems such as the MiSiS student management system were recovered and brought back online shortly afterward. But in a press conference held Wednesday, Carvalho said that the hackers had likely accessed data from MiSiS, including certain information on students.
“We believe that some of the data that was accessed may have some students’ names, may have some degree of attendance data, but more than likely lacks personally identifiable information or very sensitive health information or Social Security number information,” Carvalho told local reporters, as quoted by Deadline.
Although the ransomware attack has not been officially attributed, there are many signs that it was carried out by a cyber gang known as Vice Society. Shortly after the LAUSD attack came to light, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about Vice Society ransomware that was specifically targeting K-12 institutions in the US, though the LA school district was not named as a target. Following CISA’s cybersecurity advisory, Vice Society took credit for the attack in communications with journalists.
Details published by CISA describe Vice Society as an “intrusion, exfiltration, and extortion hacking group” that uses double extortion tactics: locking systems and threatening to publicly release data unless a ransom is paid. The group was becoming more active in sync with the start of the academic year, CISA said, when the potential impact of ransomware attacks on schools was greatest.
Though the recent attack is the only time the LA school system has been successfully targeted, it has encountered a near-miss at least once in the past. In the wake of the Labor Day attack, cybersecurity researchers at Hold Security revealed that they had previously detected a device linked to the school district within a malware botnet but had disclosed the findings in time for further attacks to be prevented.